Application and properties
1.4 Industrial Ethernet Security
CP 1243-1
14 Operating Instructions, 12/2016, C79000-G8976-C365-02
Security functions of the CP
As a result of using the CP, as a security module, the following security functions are
accessible to the S7-1200 station on the interface to the external network:
●
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for "non-IP" Ethernet frames according to IEEE 802.3 (layer 2)
– Limitation of the transmission speed ("Bandwidth limitation")
– Global firewall rules
●
Communication made secure by IPsec tunnels (VPN)
VPN tunnel communication allows the establishment of secure IPsec tunnels for
communication with one or more security modules.
The CP can be put together with other modules to form VPN groups during configuration.
IPsec tunnels (VPN) are created between all security modules of a VPN group. All
internal nodes of these security modules can communicate securely with each other
through these tunnels.
●
To allow monitoring, events can be stored in log files that can be read out using the
configuration tool or can be sent automatically to a Syslog server.
●
For secure transfer during time-of-day synchronization
●
For secure transmission of network analysis information safe from eavesdropping
●
Protection for devices and network segments
The protection provided by the firewall can cover individual devices, several devices or
even entire network segments.
Note
Plants with security requirements - recommendation
Use the following options:
If you have systems with high security requirements, use the secure protocols
NTP (secure), HTTPS and SNMPv3.
If you connect to public networks, you should use the firewall. Think about the services
you want to allow access to the station via public networks. By using the "bandwidth
limitation" of the firewall, you can restrict the possibility of flooding and DoS attacks.
Security recommendations (Page 33).
For configuring the security functions refer to the section Security (Page 47).
You will find further information on the functionality and configuration of the security functions
in the information system of STEP 7 and in the manual /4/ (Page 110).
To Next Page
Loading...
Need help?
General
